log4j

from Wikipedia, the free encyclopedia
Basic data

Maintainer: Scott Deboy, Ralph Goers, Gary Gregory, Christian Grobmeier
Developer: Apache Software Foundation
Current version: 2.16.0 (December 13, 2021)
Operating system: cross-platform
Programming language: Java
License: Apache license 2.0
Website: logging.apache.org

log4j is a framework for logging application messages in Java. Over the years, it has become a de facto standard within many open source and commercial software products. log4j is considered a pioneer for other logging frameworks, including those in other programming languages.

History

The project was founded by Ceki Gülcü in 1996 while working at the IBM development laboratory in Zurich. Today it is part of the logging project of the Apache Software Foundation and is under the Apache license 2.0. It originated at a time when there were no logging mechanisms in the Java standard libraries. Nowadays it is the log system of choice for many software developers due to its sophistication and configurability.

The log4j concepts have been carried over to other programming languages and platforms so widely that quite a few adaptations now exist. Some are maintained by the Apache logging project itself. For example:

  • log4cxx for C++ with configuration files compatible with log4j
  • log4net for .NET
  • log4php for PHP

However, many variants are developed outside of Apache Logging:

Log4j 2 has been available as the successor to log4j 1.x since July 2014.

The Apache logging project

The Apache Logging project tries to bring log4j-like systems together for various programming languages. So far these are log4j, log4cxx, log4net, log4php and Chainsaw (a log file viewer and analysis tool).

In addition, so-called companions are being developed that provide additional functionality for Apache log4j.

Functionality

Instead of writing error and information messages to standard output, log4j passes the messages via so-called loggers to the selected logging system (the "appender"). In addition to the selection of the logging system, a decision is made, based on the importance ("log level") of the message, as to whether it is forwarded at all. The programmer only has to consider the importance of the messages when writing the program. The filtering and the type of output can be configured at runtime.

Log4j is designed for the highest possible speed so that logging does not negatively affect system performance. Even on an outdated system (AMD Duron at 800 MHz, JDK 1.3.1), the decision as to whether a message has to be output takes only 5 nanoseconds; the output itself takes between 21 and 37 microseconds, depending on which layout is used.

Output scope

In the configuration file, the output can be filtered depending on the importance of the messages. The configured importance level determines the output volume: the output includes all messages of the level itself as well as those of all more urgent levels. The order is as follows: ALL → TRACE → DEBUG → INFO → WARN → ERROR → FATAL → OFF.

The following guide values apply to the classification of importance:

  • ALL - All messages are output unfiltered
  • TRACE - Detailed debugging (from version 1.2.12), comments
  • DEBUG - General debugging (finding errors)
  • INFO - General information (program started, program ended, connection to host Foo established, processing took so-and-so many seconds ...)
  • WARN - An unexpected situation occurred
  • ERROR - Error (an exception was caught; processing continued along an alternative path)
  • FATAL - Critical error, program termination
  • OFF - Logging is deactivated

Appender

The output target(s) of the generated log output can be set using the appender.

The most important types of appenders are as follows:

  • ConsoleAppender - Outputs to standard output
  • FileAppender - Writes to a file
  • RollingFileAppender - Starts a new file once a certain size is reached
  • DailyRollingFileAppender - Starts a new file at certain times
  • SyslogAppender - Logs using the syslog service
  • JDBCAppender - Writes to a database
  • NTEventLogAppender - Writes to the event log of the Windows system
  • SMTPAppender - Sends an email for certain messages
  • SocketAppender - Sends the log message to a configured socket listener
  • LogCatAppender - Logs to the Android LogCat

Additional appenders can be added at any time.

Configuration

There are three ways to configure log4j: with a properties file, with an XML file, or in the program code. A properties or XML file is recommended, because it separates the configuration from the code and makes it possible to reconfigure logging without modifying or restarting the application. For example, an application can be operated with only the FATAL log level until an error occurs. From then on, the WARN level is set without stopping the application.

The configuration files define the behavior of log4j using the following components:

Appender
Through the configured appender class, appenders determine where the log output is written and, through the configured layout, how it is written there. In addition to the message itself, the importance, date, logger name, class name and method name, down to the exact line of code, can also be output by means of a pattern.
Logger
A logger is an object that takes on the logging tasks of a class. It is identified by its name. Usually the class name is used as the name of the logger. However, it is also possible to use an arbitrary name that is shared by several classes. A typical example might be: Logger log = Logger.getLogger(org.wikipedia.MyClass.class);
This can be used to control the logging behavior of a class. Since the logger name also carries the package information, it is also possible to configure logging for entire (parent) packages.
The configuration file can then contain the logger name, e.g. "org.wikipedia.MyClass", together with the desired log level. As already mentioned, it is possible to define a configuration for a package such as "org.wikipedia".
In addition, one or more appenders can be defined either generally or specifically for each logger. This makes it possible, for example, not only to write fatal errors to a file, but also to send them to an administrator via email at the same time.
In addition to these classic configurations, log4j 2.0 also offers more modern options for intervening in the logging behavior. For example, so-called markers are supported.

Another useful feature is the mapped diagnostic context. A value is assigned to a context variable, which can then be referenced in the configuration file. Each thread has its own context and can therefore log additional information, such as the address of the client in a server application.

Example

The following XML configuration sets up an application so that FATAL errors from external libraries are logged to the console, ERROR errors from your own application are additionally sent by e-mail, INFO messages are also logged for a specific component, and even DEBUG messages are logged for a certain class.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration PUBLIC "-//APACHE//DTD LOG4J 1.2//EN"
    "http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/xml/doc-files/log4j.dtd">
<log4j:configuration>
  <!-- Appender for single-line output on the console -->
  <appender name="Konsole" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern"
        value="%d{ABSOLUTE} %5p %c{1}:%L - %m%n" />
    </layout>
  </appender>

  <!-- Appender for the same output via e-mail -->
  <appender name="mail" class="org.apache.log4j.net.SMTPAppender">
    <param name="SMTPHost" value="smtp.myservername.xx" />
    <param name="From" value="email@fromemail.xx" />
    <param name="To" value="toemail@toemail.xx" />
    <param name="Subject" value="[LOG] ..." />
    <param name="BufferSize" value="1" />
    <param name="threshold" value="error" />
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern"
        value="%d{ABSOLUTE} %5p %c{1}:%L - %m%n" />
    </layout>
  </appender>

  <!-- ERROR logger for all classes of my application; console output is
       inherited from the root logger, so only the mail appender is added -->
  <logger name="com.myapp">
    <level value="error"/>
    <appender-ref ref="mail" />
  </logger>

  <!-- INFO logger for a specific component -->
  <logger name="com.myapp.mycomponent">
    <level value="info"/>
  </logger>

  <!-- DEBUG logger for a specific class -->
  <logger name="com.myapp.mycomponent.MyClass">
    <level value="debug"/>
  </logger>

  <!-- FATAL logger for the entire application (incl. libraries) -->
  <root>
    <level value="fatal" />

    <!-- logs to the console; child loggers inherit this appender (additivity) -->
    <appender-ref ref="Konsole" />
  </root>
</log4j:configuration>
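
How log4j 1.x resolves a configuration of this shape, as an added Python model that is not log4j code and not part of the original article. It uses the logger names and levels of the XML above; in the constructed LOGGERS table, com.myapp lists the console appender that the root logger also has, which shows why such a reference produces duplicate console lines.

```python
LEVELS = ["ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]

# Constructed model using the logger names and levels of the XML above.
# Here "com.myapp" lists the console appender that root also has.
LOGGERS = {
    "": {"level": "FATAL", "appenders": ["Konsole"]},  # root logger
    "com.myapp": {"level": "ERROR", "appenders": ["Konsole", "mail"]},
    "com.myapp.mycomponent": {"level": "INFO", "appenders": []},
    "com.myapp.mycomponent.MyClass": {"level": "DEBUG", "appenders": []},
}
THRESHOLDS = {"mail": "ERROR"}  # the "threshold" parameter of the mail appender


def lineage(name):
    """Return the logger name followed by its parent packages, root ('') last."""
    chain = []
    while name:
        chain.append(name)
        name = name.rpartition(".")[0]
    return chain + [""]


def effective_level(name):
    """Level of the nearest configured logger on the way up to root."""
    for candidate in lineage(name):
        if candidate in LOGGERS:
            return LOGGERS[candidate]["level"]


def at_least(level, minimum):
    """True if level is at least as urgent as minimum."""
    return LEVELS.index(level) >= LEVELS.index(minimum)


def deliveries(name, level):
    """Appenders that receive the event, one entry per delivery (additivity on)."""
    if not at_least(level, effective_level(name)):
        return []  # rejected once, at the logger that was called
    hits = []
    for candidate in lineage(name):
        for appender in LOGGERS.get(candidate, {}).get("appenders", []):
            if at_least(level, THRESHOLDS.get(appender, "ALL")):
                hits.append(appender)
    return hits
```

The level check happens only at the logger that is called; the levels of ancestor loggers do not filter events that travel up to their appenders.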

Apache log4j 2

Version 2 was rewritten from scratch, even if parts of log4j 1.x were taken over. The new version has a modern interface, as is also known from logback. It also supports slf4j natively. At the same time, the weaknesses of logback were analyzed and an attempt was made to improve on them. For example, log4j 2 does not lose any logging events when the system is reconfigured. In addition, a plug-in architecture was provided and configuration using JSON was made possible.

The project is currently planning occasional maintenance releases of the 1.x series, but will focus more and more on the 2.x series.

The Apache website lists some of the differences between log4j1 and log4j2.

Vulnerability found in December 2021

On December 10, 2021, a zero-day vulnerability in log4j version 2 became known (CVE-2021-44228), which attackers could exploit to execute code on the respective host system (remote code execution) and thus, for example, to use the computing power of the infected servers for crypto mining. According to F-Secure, there have also been ransomware attacks. Affected services include Amazon Web Services, Steam and iCloud. According to the Federal Office for Information Security (BSI), reports from CERT sources show that global mass scans and attempted compromises took place in connection with the zero-day vulnerability. The BSI referred to an "incomplete list" of 140 companies that are particularly vulnerable.

The critical security vulnerability is caused, through the use of malicious instances of the Java class org.apache.logging.log4j.core.lookup.ContextMapLookup, by the two faulty methods org.apache.logging.log4j.error and org.apache.logging.log4j.fatal. These two methods are heavily overloaded and have numerous parameter variants of the generic base type java.lang.Object, for which the information about the data types actually used is not available at runtime under certain conditions and therefore cannot be checked.
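
A defender's inventory check for this issue, as an added example that is not part of the original article: it looks for the class named in the preceding paragraph inside jar, war and ear archives (including nested ones) and compares the bundled version with 2.16.0, the version this page lists as current. Using 2.16.0 as the baseline and reading the version from the manifest attributes Implementation-Title and Implementation-Version are assumptions; archives without a usable manifest are marked for manual review.

```python
import io
import re
import zipfile

# Class named in the paragraph above; its presence marks a bundled log4j 2 core.
MARKER = "org/apache/logging/log4j/core/lookup/ContextMapLookup.class"
BASELINE = (2, 16, 0)  # assumption: the version this page lists as current


def manifest_version(text):
    """Version from a manifest, trusted only if the title names log4j (assumed)."""
    title = re.search(r"^Implementation-Title:.*log4j", text, re.M | re.I)
    ver = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not (title and ver):
        return None
    return tuple(int(part or 0) for part in ver.groups())


def scan_archive(data, label="archive"):
    """Return (location, version, status) for every log4j 2 core found in the
    jar/war/ear bytes, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = zf.namelist()
        if MARKER in names:
            version = None
            if "META-INF/MANIFEST.MF" in names:
                raw = zf.read("META-INF/MANIFEST.MF")
                version = manifest_version(raw.decode("utf-8", "replace"))
            if version is None:
                status = "review"  # shaded or stripped jar: check by hand
            elif version < BASELINE:
                status = "update"
            else:
                status = "ok"
            findings.append((label, version, status))
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings += scan_archive(zf.read(name), label + "!/" + name)
    return findings


def make_jar(entries):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

To scan a real file, pass its bytes and path, for example scan_archive(open(path, "rb").read(), path).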

Alternatives

  • Java Logging - part of the Java class library since Java 1.4; similar to log4j, fewer appenders, no pattern layout
  • Apache Commons Logging - interface for freely exchangeable logging frameworks, including log4j
  • tinylog - slim logging framework with a static logger
